Thingiverse, the biggest platform with free 3D printing models, has been hacked. Have I Been Pwned? reports the theft of a 36 GB backup file containing 228,000 unique e-mail addresses and other information that can identify people who have an account on the platform. The data is circulating on a popular hacking forum.
The data includes e-mail addresses, passwords, usernames, IP addresses, and in some cases, physical addresses of computers. Thingiverse’s owner, MakerBot (owned by Stratasys), knows about the incident, but has yet to issue an official statement on the data leak.
The leak was discovered by Troy Hunt – creator of Have I Been Pwned? After analyzing the feed from the hacking forum, Hunt reported that the backup file was publicly dumped exactly one year ago, on October 13, 2020, and has been exposed ever since. He also adds that the leaked data appears to be a MySQL database that contains over 255 million lines of data. “The earliest dates in the dataset appear to be about ten years ago, but I haven’t analyzed them thoroughly enough,” says Hunt.
Hunt says the vast majority of email addresses appear to be in the form of webdev+[username]@makerbot.com. The following is an example of a complete record retrieved from the data table:
1[XXXXX]1,'[username]','webdev+[username]@makerbot.com','$2y$10$X26cQ2uz5Uh1EyfIabIpguXHcS7G3uJ1AC8MnvxQ7dlFewy8wUWQq',NULL,NULL,'',0,'','2018-02-19 06:07:43','2018-02-19 05:51:17',0,'cc-sa',1,1,1,1,1,1,1,NULL,0,0,0,0,'',0,'AR','Maker/Consumer','','1099',0,'199[X]-0[X]-25 00:00:00',NULL,0,NULL
The good news is that there is no trace of clear-text passwords in the published dataset. Nevertheless, it is worth changing your password and, above all, checking whether the one you used on Thingiverse is also in use on other, slightly more important platforms. Unfortunately, my e-mail address was on the leaked list; luckily, the password I used on Thingiverse was insignificant (“junk”). Anyway, I have already changed it, which I also urge you to do.
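The sample record above can be checked mechanically to see how the password is stored. The sketch below is an added example, not code from the article or from Have I Been Pwned?; it scans every column because the dump's column names are not given, and the function names are illustrative. It goes slightly beyond the article by also flagging bare hex digests, which usually indicate a fast hash.

```python
import csv
import io
import re

# The record exactly as printed in the article (bracketed redactions are the article's).
RECORD = "1[XXXXX]1,'[username]','webdev+[username]@makerbot.com','$2y$10$X26cQ2uz5Uh1EyfIabIpguXHcS7G3uJ1AC8MnvxQ7dlFewy8wUWQq',NULL,NULL,'',0,'','2018-02-19 06:07:43','2018-02-19 05:51:17',0,'cc-sa',1,1,1,1,1,1,1,NULL,0,0,0,0,'',0,'AR','Maker/Consumer','','1099',0,'199[X]-0[X]-25 00:00:00',NULL,0,NULL"

# bcrypt modular-crypt string: $2a/$2b/$2x/$2y, 2-digit cost, 22-char salt, 31-char digest.
BCRYPT = re.compile(r"\$(2[abxy])\$(\d{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}")
# Bare hex digests of these lengths usually mean a fast hash (MD5, SHA-1, SHA-256).
HEX_DIGEST = {32: "md5-length hex", 40: "sha1-length hex", 64: "sha256-length hex"}


def split_row(row):
    """Split one value tuple of a MySQL dump; unquoted NULL becomes None."""
    reader = csv.reader(io.StringIO(row), quotechar="'",
                        escapechar="\\", doublequote=False)
    return [None if field == "NULL" else field for field in next(reader)]


def classify(value):
    """Describe how a credential is stored, or return None if it is not one."""
    match = BCRYPT.fullmatch(value)
    if match:
        cost = int(match.group(2))
        # bcrypt repeats its key setup 2**cost times, which is what slows guessing.
        return {"scheme": "bcrypt", "variant": match.group(1),
                "cost": cost, "key_setup_rounds": 2 ** cost}
    if len(value) in HEX_DIGEST and re.fullmatch(r"[0-9a-fA-F]+", value):
        return {"scheme": HEX_DIGEST[len(value)]}
    return None


def credentials_in(row):
    """Map column index -> storage description for every credential-like field."""
    found = {}
    for index, field in enumerate(split_row(row)):
        info = classify(field) if field else None
        if info:
            found[index] = info
    return found


if __name__ == "__main__":
    for index, info in credentials_in(RECORD).items():
        print(f"column {index}: {info}")
```

For the article's record this reports a single bcrypt value with cost factor 10, a salted and deliberately slow hash, which matches the observation that no clear-text passwords appear in the dataset.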